Why does DRA generate three audit log entries when adding or removing users from Security groups?

  • 7018816
  • 19-Apr-2017
  • 21-Apr-2017

Environment

NetIQ Directory & Resource Administrator 8.7.x
NetIQ Directory & Resource Administrator 9.0.x

Situation

Why does DRA generate three audit log entries when adding or removing users from Security groups?

Resolution

When you use DRA to add a user to, or remove a user from, a security group, you will often see three audit log entries, whereas the same operation performed with native Active Directory tools (Active Directory Users and Computers, ADU&C) produces only one entry.

For example, removing a member from a group generates the following three audit messages, in the order remove, add, remove:

A member was removed from a security-enabled global group.  (EventID 4729)
A member was added to a security-enabled global group.  (EventID 4728)
A member was removed from a security-enabled global group.  (EventID 4729)

This is by design.

This happens because DRA actually performs the membership change three times: for an add operation it adds the user to the group, removes the user from the group, and then adds the user again (a remove operation produces the mirror sequence shown above). The DRA server needs to check the powers that the Assistant Admin (AA) currently has over the group and the user, and the powers that the AA will have over them after the user has been added to (or removed from) the group. This check can only be performed while the user is a member of the group.

After performing this check, the user is removed from the group again, because the DRA server still has to execute policies and triggers, and if any of these fail the user must not be left as a member of the group. Once DRA has executed the policies and triggers, validated the input, performed the license check, and checked the AA's powers, it adds the user to the group (or, for a remove operation, removes the user).
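For anyone monitoring the Security log, the practical consequence is that a single DRA group change shows up as a burst of three 4728/4729 events that should be correlated into one logical change rather than alerted on three times. The following script is an added example, not code from NetIQ or the DRA product: it groups membership events for the same member, group and acting account that fall within a short time window, checks that the burst is a clean add/remove alternation, and reports the net effect (the last event in an alternating burst). The event records and field names (actor, member, group) are constructed for the example and only loosely mirror the Security log's SubjectUserName, MemberName and TargetUserName fields; the five-second window is an assumption to tune against your own logs.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Windows Security event IDs cited in the article (global security group membership).
EVENT_MEMBER_ADDED = 4728
EVENT_MEMBER_REMOVED = 4729

# Constructed sample events (not real log data); field names are assumptions.
SAMPLE_EVENTS = [
    # DRA removing alice from GG-Finance: remove, add, remove within one second.
    {"time": "2017-04-19T10:00:00.100", "event_id": 4729, "actor": "CORP\\svc-dra",
     "member": "CN=alice,OU=Users,DC=corp,DC=local", "group": "GG-Finance"},
    {"time": "2017-04-19T10:00:00.300", "event_id": 4728, "actor": "CORP\\svc-dra",
     "member": "CN=alice,OU=Users,DC=corp,DC=local", "group": "GG-Finance"},
    {"time": "2017-04-19T10:00:00.900", "event_id": 4729, "actor": "CORP\\svc-dra",
     "member": "CN=alice,OU=Users,DC=corp,DC=local", "group": "GG-Finance"},
    # Native ADU&C removal of bob: a single event.
    {"time": "2017-04-19T10:05:12.000", "event_id": 4729, "actor": "CORP\\jdoe",
     "member": "CN=bob,OU=Users,DC=corp,DC=local", "group": "GG-Finance"},
    # DRA adding carol to GG-HR: add, remove, add.
    {"time": "2017-04-19T10:07:30.000", "event_id": 4728, "actor": "CORP\\svc-dra",
     "member": "CN=carol,OU=Users,DC=corp,DC=local", "group": "GG-HR"},
    {"time": "2017-04-19T10:07:30.400", "event_id": 4729, "actor": "CORP\\svc-dra",
     "member": "CN=carol,OU=Users,DC=corp,DC=local", "group": "GG-HR"},
    {"time": "2017-04-19T10:07:31.200", "event_id": 4728, "actor": "CORP\\svc-dra",
     "member": "CN=carol,OU=Users,DC=corp,DC=local", "group": "GG-HR"},
]


def parse_time(stamp):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(stamp)


def summarize_burst(key, burst):
    """Collapse one burst of membership events into a single logical change."""
    member, group, actor = key
    ids = [e["event_id"] for e in burst]
    # A clean add/remove toggle never repeats the same event twice in a row.
    alternating = all(a != b for a, b in zip(ids, ids[1:]))
    if alternating and len(ids) % 2 == 1:
        # Odd-length alternation: the last event decides the final membership state.
        net = "added" if ids[-1] == EVENT_MEMBER_ADDED else "removed"
    elif alternating:
        # Even-length alternation (e.g. add then remove): membership ends where it began.
        net = "no change"
    else:
        # Repeated adds or removes are not the DRA pattern and deserve a closer look.
        net = "inconsistent"
    return {
        "member": member,
        "group": group,
        "actor": actor,
        "first_seen": burst[0]["time"],
        "event_ids": ids,
        "net_effect": net,
        # The three-event sequence the article describes: remove/add/remove or add/remove/add.
        "dra_pattern": alternating and len(ids) == 3,
    }


def correlate_membership_events(events, window=timedelta(seconds=5)):
    """Group 4728/4729 events by (member, group, actor), split each group into
    bursts whose consecutive events are at most `window` apart, and summarize
    every burst as one logical membership change."""
    membership = [e for e in events if e["event_id"] in (EVENT_MEMBER_ADDED, EVENT_MEMBER_REMOVED)]
    membership.sort(key=lambda e: (e["member"], e["group"], e["actor"], parse_time(e["time"])))
    summaries = []
    for key, group_events in groupby(membership, key=lambda e: (e["member"], e["group"], e["actor"])):
        burst = []
        for event in group_events:
            if burst and parse_time(event["time"]) - parse_time(burst[-1]["time"]) > window:
                summaries.append(summarize_burst(key, burst))
                burst = []
            burst.append(event)
        if burst:
            summaries.append(summarize_burst(key, burst))
    summaries.sort(key=lambda s: s["first_seen"])
    return summaries


if __name__ == "__main__":
    for change in correlate_membership_events(SAMPLE_EVENTS):
        print(f"{change['first_seen']} {change['actor']} {change['net_effect']:>9} "
              f"{change['member']} in {change['group']} "
              f"events={change['event_ids']} dra_pattern={change['dra_pattern']}")
```

Run on the constructed sample, alice and carol collapse to one removal and one addition with `dra_pattern` set, while bob's single native event passes through unchanged; anything flagged `inconsistent` is a burst that does not fit the article's explanation and is worth investigating rather than suppressing.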